Re: Support WKD (and WKS) for @debian.org email addresses?
On Wed, 07 Nov 2018, W. Martin Borgert wrote:
> Do we want WKD for debian.org, like gentoo.org and kernel.org?
>
> TIA for your opinions & Cheers

I'd look at code that generates WKD and dane information for users that enable it in ldap.

-- 
Peter Palfrader, https://www.palfrader.org/
Debian, the universal operating system, https://www.debian.org/
Re: Support WKD (and WKS) for @debian.org email addresses?
Guilhem Moulin writes ("Re: Support WKD (and WKS) for @debian.org email addresses?"):
> On Wed, 07 Nov 2018 at 18:20:16 +, Ian Jackson wrote:
> > Personally I think the hash is bizarre. Why make this protocol depend
> > on an obsolete hash function ? One could just url-encode the email
> > address. The server could deal with case-folding etc.
>
> Dunno if you'll find the arguments convincing, but FWIW this was brought up to
> gnupg-devel in May 2016: see
> https://lists.gnupg.org/pipermail/gnupg-devel/2016-May/031068.html
> and follow-ups in that thread.

Huh. Well, I followed the breadcrumbs to the spec and found an Internet Draft. So I decided that the IETF's openpgp list was the right place to make my comments.

https://www.ietf.org/mail-archive/web/openpgp/current/msg09100.html

Ian.

-- 
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
Re: Support WKD (and WKS) for @debian.org email addresses?
Hi,

On Wed, 07 Nov 2018 at 18:20:16 +, Ian Jackson wrote:
> Personally I think the hash is bizarre. Why make this protocol depend
> on an obsolete hash function ? One could just url-encode the email
> address. The server could deal with case-folding etc.

Dunno if you'll find the arguments convincing, but FWIW this was brought up to gnupg-devel in May 2016: see https://lists.gnupg.org/pipermail/gnupg-devel/2016-May/031068.html and follow-ups in that thread.

Cheers,
-- 
Guilhem.
Re: Support WKD (and WKS) for @debian.org email addresses?
W. Martin Borgert writes ("Support WKD (and WKS) for @debian.org email addresses?"):
> One way to help senders getting the real receivers key is WKD (web key
> directory). That is one HTTPS URL per email address, e.g. a static
> directory with PGP key files. (See https://wiki.gnupg.org/WKD)

This is still an unapproved Internet Draft. So the protocol may yet change.

Personally I think the hash is bizarre. Why make this protocol depend on an obsolete hash function ? One could just url-encode the email address. The server could deal with case-folding etc.

Ian.
Support WKD (and WKS) for @debian.org email addresses?
Hi,

just testing the waters, whether this is something people like or not:

As we all know, false PGP keys can easily be forged for any given email address and uploaded to key servers. We've been there, even with the correct short key ids and equally faked signatures!

One way to help senders get the real receiver's key is WKD (web key directory). That is one HTTPS URL per email address, e.g. a static directory with PGP key files. (See https://wiki.gnupg.org/WKD)

Example: To get the public key of Linus Torvalds, you type

    $ gpg --auto-key-locate wkd --locate-keys torva...@kernel.org

which fetches the public key from this URL:

    https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x

Of course, WKD is only about fetching the key. The actual decision to trust or not a key, let alone sign it, does not change by use of WKD.

The second thing is WKS (web key service): This is a protocol/tool to publish, update or de-publish keys via WKD in a standardized form. (See https://wiki.gnupg.org/WKS)

Do we want WKD for debian.org, like gentoo.org and kernel.org?

TIA for your opinions & Cheers
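How the opaque `hu/...` path in the example above is derived (and what Ian's remarks further up the thread about the hash and case-folding refer to), as an added illustration that is not part of the thread and not GnuPG's own code: the draft lowercases the local part, hashes it with SHA-1 and z-base-32 encodes the 20-byte digest, which gives exactly 32 characters. The `wkd_*` function names and the sample addresses below are my own.

```python
import hashlib

# z-base-32 alphabet (Zooko's), the encoding the WKD draft uses for the digest.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant
    bit first; a final partial group is zero-padded (no '=' padding)."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(
        ZB32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
        for i in range(0, len(bits), 5)
    )


def wkd_hash(local_part: str) -> str:
    """Name under .well-known/openpgpkey/hu/: SHA-1 of the lowercased local
    part, z-base-32 encoded. 160 bits / 5 = 32 characters, so the padding
    branch above never triggers here. Case-folding happens before hashing,
    which is why 'Torvalds' and 'torvalds' resolve to the same file."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_direct_url(address: str) -> str:
    """URL gpg fetches for the direct method shown in the thread's example.
    Hypothetical helper: it only checks the shape user@domain and does no
    fetching; verifying the HTTPS certificate and checking that the returned
    key actually carries a matching user ID is the client's job."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a single user@domain address: {address!r}")
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local)}"


if __name__ == "__main__":
    # Constructed sample address; the hash is deterministic, so the same
    # value is what a static publishing directory would name the key file.
    for addr in ("alice@example.org", "Alice@example.org"):
        print(addr, "->", wkd_direct_url(addr))
```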